HttpOnly Not Set

Description

The application sets a cookie without the HttpOnly flag. HttpOnly is a cookie attribute, introduced by Microsoft in Internet Explorer 6 SP1 in 2002 and later standardised in RFC 6265 (HTTP State Management Mechanism), that instructs the browser to withhold the cookie from client-side script: a cookie carrying the attribute is still sent on HTTP requests but is not exposed through document.cookie or similar APIs. All modern browsers honour it. Without HttpOnly, a cross-site scripting (XSS) vulnerability on the site lets injected script read the cookie value and send it to an attacker. Note the limits of the control: HttpOnly does not prevent XSS, and injected script can still issue requests that the browser will send with the cookie attached, so the attacker can ride the session even if the cookie value itself cannot be read. It is a blast-radius reduction for session and other sensitive cookies, not a substitute for output encoding and a content security policy.
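The following is an added example, not code from the original page or from any project it describes. It shows a small Set-Cookie parser that flags cookies lacking HttpOnly, approximates what page script would see through document.cookie after those headers, and builds a hardened Set-Cookie value. The sample headers are constructed for illustration; attribute names are compared case-insensitively as RFC 6265 requires.

```javascript
// Added example: check Set-Cookie headers for the HttpOnly attribute.
// Plain Node.js, no network access; sample headers below are constructed.
const SAMPLE_SET_COOKIE_HEADERS = [
  'JSESSIONID=3F2A9C; Path=/; Secure',                  // session cookie, HttpOnly missing
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax', // hardened session cookie
  'theme=dark; Path=/',                                 // non-sensitive preference cookie
];

// Parse one Set-Cookie value into { name, value, attrs }; attrs maps the
// lower-cased attribute name to its value ('' for flag attributes).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? '' : p.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// RFC 6265 section 5.2: attribute names are case-insensitive, so
// "httponly" and "HttpOnly" are both accepted.
function hasHttpOnly(header) {
  return Object.prototype.hasOwnProperty.call(parseSetCookie(header).attrs, 'httponly');
}

// Names of cookies in a response that script would be able to read.
function findCookiesWithoutHttpOnly(headers) {
  return headers.filter(h => !hasHttpOnly(h)).map(h => parseSetCookie(h).name);
}

// Approximate the document.cookie string page script would observe after
// these headers: HttpOnly cookies are omitted, the rest are joined.
function simulateDocumentCookie(headers) {
  return headers
    .filter(h => !hasHttpOnly(h))
    .map(h => { const c = parseSetCookie(h); return `${c.name}=${c.value}`; })
    .join('; ');
}

// Build a hardened Set-Cookie value for a session cookie. Secure and
// SameSite are added alongside HttpOnly because HttpOnly alone protects
// neither the cookie in transit nor against cross-site request forgery.
function buildSessionCookie(name, value, { secure = true, sameSite = 'Lax' } = {}) {
  const attrs = ['Path=/', 'HttpOnly', `SameSite=${sameSite}`];
  if (secure) attrs.push('Secure');
  return `${name}=${value}; ${attrs.join('; ')}`;
}

console.log('Cookies without HttpOnly:', findCookiesWithoutHttpOnly(SAMPLE_SET_COOKIE_HEADERS));
console.log('Visible to script:', simulateDocumentCookie(SAMPLE_SET_COOKIE_HEADERS));
console.log('Hardened:', buildSessionCookie('JSESSIONID', '3F2A9C'));
```

In a real test, feed the parser the Set-Cookie headers from the login or session-creation response; a finding applies when the session cookie (here JSESSIONID) appears in the output, while a preference cookie such as theme that script legitimately needs may be accepted without the flag.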

Custom Description

Impact

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References